基于入侵检测系统的校园网络安全模型设计

Campus Network Safe Model Design Based on Intrusion Detection System

【Author】 郑慧 (Zheng Hui)

【Supervisor】 陈思国 (Chen Siguo)

【Author information】 Jilin University, Computer Application Technology, 2004, Master's thesis

【Abstract】 It was not until the mid-1970s that systematic research on building multi-level secure systems began. The acknowledged founding work on intrusion detection is a technical report from the early 1980s by the American James P. Anderson, titled "Computer Security Threat Monitoring and Surveillance", which set out the concept of intrusion detection in detail for the first time. After this came Dorothy Denning's IDES (Intrusion Detection Expert System) model, one of the most important achievements of early IDS research. In the late 1980s several other notable systems were developed, most of them combining statistical theory with expert systems. 1990 was a watershed in the history of intrusion detection systems: that year L. T. Heberlein and others at the University of California, Davis developed NSM (The Network System Monitor). NSM was the next milestone after IDES in the development of intrusion detection technology. From then on a new page was turned, and the two camps of network-based IDS and host-based IDS formally took shape. Soon afterwards the distributed intrusion detection system (DIDS), which integrated host-based and network-based detection methods, was developed; DIDS was a milestone product in the history of distributed intrusion detection systems. Since then intrusion detection systems have entered a stage of steady development.

An intrusion detection system (IDS, Intrusion Detection System) collects information from a number of key points in a computer network system and analyses it to check whether the network shows behaviour that violates the security policy or signs of attack. Intrusion detection is defined as the process of identifying malicious intent and behaviour directed at computer or network resources and responding to it; an IDS is an independent system that performs this function. An IDS can detect intrusion attempts or actions (Intrusion) against the system by unauthorised parties (people or programs), and at the same time monitor illegitimate operations on system resources by authorised parties (Misuse).

Intrusion detection systems are generally divided into network-based and host-based systems. A host-based IDS monitors the system, event and security logs under Windows NT and the system logs in a UNIX environment. When a file changes, the IDS compares the new log entries against attack signatures to see whether they match; if they do, the system alerts the administrator and reports to other targets so that action can be taken. A network-based IDS uses raw network packets as its data source; it typically uses a network adapter running in promiscuous mode to monitor and analyse all traffic passing through the network in real time.

At present there is no unified standard for intrusion detection systems and interoperability between systems is poor, so vendors are standardising information exchange around the Common Intrusion Detection Framework (CIDF). CIDF sets out a general model of an intrusion detection system, dividing it into the following components: (1) event generators; (2) event analyzers; (3) response units; (4) event databases.

Classifying the different detection environments and applying different detection methods and techniques to each of them is the idea behind distributed intrusion detection. It uses multiple detection components, each with its own detection method, cooperating to complete the detection task; this draws on the strengths of the various methods and greatly improves detection efficiency and accuracy. The components of a distributed IDS are spread over the network nodes; the information they collect is condensed and transmitted to a central location, where network events are analysed and correlated.

The distributed intrusion detection system discussed in this thesis has a three-tier architecture: boundary sensors, supervising sensors and a central console. Boundary sensors monitor security events in network traffic, respond to attacks and report to their supervising sensor; they are deployed at the network boundary and divided into groups according to network size. Each group has a supervising node, the supervising sensor, which collects the data sent by the boundary sensors, condenses it with a local rule-set filter and forwards it to the central console. The central console manages the cooperation of the distributed IDS sensors, analyses the detection results and responds. Any node in the three tiers can respond to an attack in its own way. Communication between the components uses the Intrusion Alert Protocol, which strengthens the security of the distributed IDS.

For an open network platform such as a university campus network, an effective security model should be built on components such as anti-virus software, firewalls and intrusion detection systems. Considering the structural characteristics of today's campus networks and the security risks they face, this thesis takes the network of a university with geographically dispersed campuses as the framework for the security model. It attempts to build a three-level centrally managed secure network model and, on that basis, a defence-in-depth system running from boundary protection and transport-layer protection to protection of the core hosts, so as to ensure the security of the network.

The three-level centrally managed network model: Level 1: the management server at the main campus (west campus) is responsible for formulating and distributing the defence policy for the headquarters network and for collecting information, and also sets policy for the group of level-2 management servers. For anti-virus, the main-campus server can also download virus database and scan-engine updates from the relevant websites and provide update services to the main-campus network and the level-2 management centres. Level 2: level-2 management servers formulate and distribute defence policy for each branch campus network and branch institution, and also distribute security policy and update code to subordinate branches that have no management centre of their own. Level 3: level-3 management servers formulate and distribute security policy for the clients on their own network.

Our design aim is: by deploying an intrusion detection system in the campus network, fully integrating expert-system, artificial neural network and agent technologies, and combining the advantages of distributed network intrusion detection systems, to give the system real-time protection against external attacks and operator error, better compensating for the limitations of the firewall system, so that
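The three-tier distributed IDS described in the abstract (boundary sensors that match signatures, supervising sensors that condense with a local rule set, a central console that correlates across groups) can be made concrete as a small pipeline. The code below is an added illustration, not part of the thesis; the signatures, group layout, campus address ranges, allow-list and traffic records are all constructed for the example, and the CIDF roles are mapped onto the tiers as a design choice of this illustration.

```python
"""Three-tier distributed IDS pipeline (added example, not the thesis's code):
boundary sensors -> supervising sensors (local rule-set filter) -> central console."""
from collections import defaultdict
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed campus address space (assumption for the example).
CAMPUS_NETS = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


@dataclass(frozen=True)
class Alert:
    sensor: str
    signature: str
    src: str
    dst: str
    severity: int  # 1 (informational) .. 5 (critical)
    count: int = 1


# --- Tier 1: boundary sensor = CIDF event generator + event analyzer -----------------
def boundary_sensor(name, records):
    """Match each (src, dst, dst_port, payload) record against constructed signatures
    and emit one alert per hit. Everything is reported; condensing happens one tier up."""
    alerts = []
    for src, dst, port, payload in records:
        if "../" in payload:  # constructed path-traversal signature
            alerts.append(Alert(name, "path-traversal", src, dst, 4))
        if port == 23 and not is_internal(src):  # cleartext admin protocol from outside
            alerts.append(Alert(name, "external-telnet", src, dst, 3))
        if port == 22:  # informational: SSH session seen
            alerts.append(Alert(name, "ssh-session", src, dst, 1))
    return alerts


# --- Tier 2: supervising sensor = local rule-set filter for one group ----------------
def supervising_sensor(group, alerts, allowlist=frozenset(), min_severity=2):
    """Drop allow-listed sources (e.g. the campus's own scanner) and low-severity
    noise, then collapse repeated (signature, src, dst) hits into one alert with a
    count, so only a condensed stream is forwarded to the console. When several
    sensors in the group saw the same key, the first sensor's name is kept."""
    merged = {}
    for a in alerts:
        if a.src in allowlist or a.severity < min_severity:
            continue
        key = (a.signature, a.src, a.dst)
        merged[key] = replace(merged[key], count=merged[key].count + a.count) if key in merged else a
    condensed = sorted(merged.values(), key=lambda a: (-a.severity, a.src))
    return {"group": group, "alerts": condensed}


# --- Tier 3: central console = correlation across groups + response unit -------------
def central_console(reports):
    """A source that triggers alerts in more than one campus group is escalated to a
    campus-wide incident; the response here is a recommendation, not an action."""
    groups_by_src = defaultdict(set)
    for r in reports:
        for a in r["alerts"]:
            groups_by_src[a.src].add(r["group"])
    incidents = [{"src": src, "groups": sorted(gs), "action": "block at every boundary"}
                 for src, gs in groups_by_src.items() if len(gs) > 1]
    return {
        "events_seen": sum(a.count for r in reports for a in r["alerts"]),
        "alerts_forwarded": sum(len(r["alerts"]) for r in reports),
        "incidents": incidents,
    }


def run_pipeline(traffic_by_sensor, groups, allowlists):
    reports = []
    for group, sensors in groups.items():
        raw = [a for s in sensors for a in boundary_sensor(s, traffic_by_sensor[s])]
        reports.append(supervising_sensor(group, raw, allowlists.get(group, frozenset())))
    return reports, central_console(reports)


# Constructed sample traffic: (src, dst, dst_port, payload hint). Not real capture data.
SAMPLE_TRAFFIC = {
    "west-edge-1": [
        ("10.1.5.7", "10.1.0.10", 22, "SSH-2.0 banner"),
        ("203.0.113.9", "10.1.0.20", 80, "GET /docs/../../config"),
        ("203.0.113.9", "10.1.0.20", 80, "GET /docs/../../config"),
        ("203.0.113.9", "10.1.0.20", 80, "GET /docs/../../config"),
    ],
    "west-edge-2": [
        ("198.51.100.4", "10.1.0.31", 23, "telnet login"),
        ("10.1.200.2", "10.1.0.31", 80, "GET /docs/../../config"),  # campus scanner
    ],
    "east-edge-1": [("203.0.113.9", "10.2.0.5", 80, "GET /docs/../../config")],
}
GROUPS = {"west": ["west-edge-1", "west-edge-2"], "east": ["east-edge-1"]}
ALLOWLISTS = {"west": frozenset({"10.1.200.2"})}

if __name__ == "__main__":
    reports, summary = run_pipeline(SAMPLE_TRAFFIC, GROUPS, ALLOWLISTS)
    for r in reports:
        print(r["group"], [(a.signature, a.src, a.count) for a in r["alerts"]])
    print(summary)
```

With the constructed input the west group's boundary sensors raise six raw alerts, the supervising sensor forwards two (three identical traversal hits become one alert with count 3, the informational SSH event and the allow-listed scanner are dropped), and the console escalates 203.0.113.9 because it appears in both the west and east groups.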

【Abstract】 In the mid-1970s, people began systematic research on constructing multi-level secure systems. The first widely recognised work, in the early 1980s, was a technical report titled Computer Security Threat Monitoring and Surveillance written by James P. Anderson, which described the concept of intrusion detection in detail. After that, Dorothy Denning's IDES model came into being; it was one of the most important achievements of early IDS research. In the late 1980s some other systems were developed, combining statistical theory with expert systems. The watershed in the history of intrusion detection systems came in 1990, when L. T. Heberlein and colleagues at the University of California, Davis developed NSM (The Network System Monitor). NSM was another milestone in the history of intrusion detection systems, following IDES. From then on a new page was opened, and network-based and host-based intrusion detection systems took shape as two camps. Soon DIDS (distributed intrusion detection system), which combined host-based with network-based detection methods, was developed; DIDS was a milestone product in the history of distributed intrusion detection systems. From then on, intrusion detection systems entered a stage of stable development.

An IDS gathers information from many key points in a computer network system, then analyses this information and checks whether the network shows actions that transgress the security policy or signs of attack. The definition of intrusion detection: the process of identifying malicious intentions and activity directed against computer or network resources, and responding to them. An IDS can detect intrusions or activity directed against the system by a person or program, and at the same time keep watch on misuse of system resources by authorised persons. People divide intrusion detection systems into network-based and host-based.

A host-based intrusion detection system keeps watch on the system, event and security logs under Windows NT. If files have changed, the IDS compares the new record entries with attack signatures and checks whether they match. If they match, the system alerts the administrator and reports to other targets. A network-based intrusion detection system uses raw network packets as its data source; it typically uses a network adapter running in promiscuous mode to watch and analyse all communication passing through the network. At present there is no unified standard for IDS and interoperability between systems is very poor, so vendors exchange information according to CIDF (Common Intrusion Detection Framework). CIDF elaborates a common model of an IDS, dividing it into the following components: (1) Event generators; (2) Event analyzers; (3) Response units; (4) Event databases. Classifying different detection environments and using different detection methods and technologies for each environment is the idea of distributed intrusion detection. It uses many detection components, each with a different detection method, working in coordination to accomplish the detection task. This draws on the benefits of all kinds of detection methods and raises detection efficiency and accuracy. The components of a distributed intrusion detection system are distributed over the network nodes. The information gathered by the components is simplified and delivered to a central location, where network events are analysed and correlated. The distributed intrusion detection system has three levels: boundary sensors, supervising sensors and a central controller. Security events in the network are detected by the boundary sensors, which respond to the attack and report to the supervising sensor; they are distributed at the network boundary and divided into groups according to network scale.

There is a supervising node in each group, called the supervising sensor, which collects the data coming from the boundary sensors, simplifies it through a local filter and delivers it to the central controller. The central controller

  • 【Online publisher】 Jilin University
  • 【Online publication year and issue】 2004, Issue 04
  • 【Classification number】 TP393.08
  • 【Cited by】 5
  • 【Downloads】 651